U.S. patent application number 10/310075 was filed with the patent office on 2004-03-25 for system and method for securely buffering content.
Invention is credited to Carr, Jeffrey Douglas.
Application Number | 20040060060 10/310075 |
Document ID | / |
Family ID | 31982299 |
Filed Date | 2004-03-25 |
United States Patent
Application |
20040060060 |
Kind Code |
A1 |
Carr, Jeffrey Douglas |
March 25, 2004 |
System and method for securely buffering content
Abstract
Systems and methods that securely buffer content are provided.
In one embodiment, a system may include, for example, a processor
and a memory. The memory may be coupled to the processor. Before
content leaves the processor for the memory, the processor may
secure the content. After the secured content enters the processor
from the memory, the processor may recover the content from the
secured content.
Inventors: |
Carr, Jeffrey Douglas;
(Poway, CA) |
Correspondence
Address: |
MCANDREWS HELD & MALLOY, LTD
500 WEST MADISON STREET
SUITE 3400
CHICAGO
IL
60661
|
Family ID: |
31982299 |
Appl. No.: |
10/310075 |
Filed: |
December 4, 2002 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
60413871 |
Sep 25, 2002 |
|
|
|
60419474 |
Oct 18, 2002 |
|
|
|
Current U.S.
Class: |
725/31 ;
348/E5.004; 348/E7.056; 386/E5.004; 725/145; 725/151 |
Current CPC
Class: |
G06F 21/10 20130101;
H04N 2005/91328 20130101; H04N 2005/91364 20130101; H04N 21/4627
20130101; H04N 21/47202 20130101; H04N 21/2347 20130101; H04N
21/2541 20130101; H04N 21/43615 20130101; H04N 7/1675 20130101;
H04N 21/4405 20130101; H04N 21/8355 20130101; H04N 21/426 20130101;
H04N 21/8193 20130101; H04N 21/4181 20130101; H04N 21/4367
20130101; H04N 5/913 20130101; H04N 21/23473 20130101; H04N 21/4753
20130101 |
Class at
Publication: |
725/031 ;
725/145; 725/151 |
International
Class: |
H04N 007/167; H04N
007/16 |
Claims
What is claimed is:
1. A system for securely buffering content, comprising: a
processor; and a memory coupled to the processor, wherein, before
content leaves the processor for the memory, the processor secures
the content, and wherein, after the secured content enters the
processor from the memory, the processor recovers the content from
the secured content.
2. The system according to claim 1, wherein the processor provides
copy protection to the content stored in the memory or to the
content transported between the processor and the memory.
3. The system according to claim 1, wherein the processor comprises
a first processor and a second processor, the first processor being
coupled to the second processor.
4. The system according to claim 3, wherein the first processor
comprises a transport processor, and wherein the second processor
comprises a decoder.
5. The system according to claim 3, wherein, before the content
leaves the first processor for the memory, the first processor
secures the content.
6. The system according to claim 5, wherein, after the second
processor receives the content secured by the first processor, the
second processor recovers the content from the secured content.
7. The system according to claim 3, wherein the first processor
comprises an encryptor, and wherein the second processor comprises
a decryptor that is capable of decrypting the content that has been
encrypted by the encryptor.
8. The system according to claim 3, wherein the processor comprises
a security block coupled to the first processor, to the second
processor and to the memory, and wherein the security block secures
the content transported from the first processor or the second
processor to the memory.
9. The system according to claim 8, wherein the security block
encrypts the content transported from the first processor or the
second processor to the memory.
10. The system according to claim 9, wherein the security block
decrypts the encrypted content received by the processor from the
memory.
11. The system according to claim 10, wherein the security block
decrypts the encrypted content transported from the memory to the
first processor or the second processor.
12. The system according to claim 1, wherein the processor
comprises one or more processors, and wherein the processor uses
one or more security schemes based upon from which of the one or
more processors the content originates.
13. The system according to claim 12, wherein the one or more
security schemes comprise one or more copy protection schemes, one
or more types of encryption or one or more content degradation
schemes.
14. The system according to claim 1, wherein the processor
comprises one or more processors and a security block, the one or
more processors being coupled to the security block, and wherein
the security block uses one or more security schemes based upon
from which of the one or more processors the content
originates.
15. The system according to claim 14, wherein the one or more
security schemes comprise one or more copy protection schemes, one
or more types of encryption or one or more content degradation
schemes.
16. A method for securely buffering content, comprising: applying a
particular security scheme to protect content before leaving a
signal processor for a storage device; and recovering the content
from the protected content after the protected content enters the
signal processor from the storage device.
17. The method according to claim 16, wherein applying the
particular security scheme comprises applying a particular
encryption scheme.
18. The method according to claim 16, wherein applying the
particular security scheme comprises applying a particular copy
protection scheme.
19. The method according to claim 16, wherein applying the
particular security scheme comprises applying a particular content
degradation scheme.
20. The method according to claim 19, wherein the particular
content degradation scheme comprises removing portions of the
content.
21. The method according to claim 16, wherein the signal processor
comprises one or more processors, and wherein the particular
security scheme applied is based upon from which of the one or more
processors the content originated.
22. A method for securely buffering content, comprising: decrypting
content received by a first processor of a signal processor, the
decrypting being performed by a first device adapted to decrypt a
first kind of encryption; encrypting the content sent from the
first processor to a memory before the content leaves the signal
processor, the encrypting being performed by a second device
adapted to perform a second kind of encryption; and decrypting the
content received by a second processor of the signal processor from
the memory after the content is received by the signal processor,
the decrypting being performed by a third device adapted to decrypt
the second kind of encryption.
23. The method according to claim 22, further comprising:
encrypting the content sent from the second processor to the memory
before the content leaves the signal processor, the encrypting
being performed by a fourth device adapted to perform a third kind
of encryption.
24. The method according to claim 23, wherein the second kind of
encryption is different in kind from the third kind of
encryption.
25. The method according to claim 23, wherein the signal processor
comprises a security block, the security block comprising the
second device, the third device and the fourth device.
26. The method according to claim 23, wherein the third device is
also adapted to decrypt the third kind of encryption.
27. The method according to claim 23, wherein the second processor
comprises the third device and the fourth device.
28. The method according to claim 22, wherein the signal processor
comprises a security block, the security block comprising the
second device and the third device.
29. The method according to claim 22, wherein the first processor
comprises the first device and the second device.
Description
RELATED APPLICATIONS
[0001] This application makes reference to, claims priority to and
claims benefit from U.S. Provisional Patent Application Serial No.
60/413,871, entitled "System and Method for Securely Buffering
Content" and filed on Sep. 25, 2002; and U.S. Provisional Patent
Application Serial No. 60/419,474, entitled "System and Method for
Securely Buffering Content" and filed on Oct. 18, 2002.
INCORPORATION BY REFERENCE
[0002] The above-referenced United States patent applications are
hereby incorporated herein by reference in their entirety.
BACKGROUND OF THE INVENTION
[0003] When digitally processing content (e.g., encoding or
decoding), memory may be used for buffering, for example,
intermediate results of a processing stage or for storing data as
it is passed from one processing stage to another. Although content
can be secured within a processing chip during a particular process
stage, the content is still vulnerable, for example, while being
written to, read from or held in a memory buffer.
[0004] FIG. 1 shows a block diagram illustrating an example of a
system in which content is not secured. The system 10 may include,
for example, a signal processing unit 30 coupled to an external
memory storage device 40 (e.g., a hard drive). The signal
processing unit 30 may be part of a set top box 20 that, for
example, receives audio and visual content over multiple channels.
The signal processing unit 30 is coupled to the external memory
storage device 40 via a connection 70. The signal processing unit
30 is also coupled to a connection 50 and to a connection 60.
Incoming content is typically encrypted when placed on the
connection 50 from a central content provider (not shown) to the
subscriber. The encrypted content is then decrypted, decoded or
otherwise processed by the signal processing unit 30. In processing
(e.g., decrypting, decoding, etc.) the incoming content, the signal
processing unit 30 uses the external memory storage device 40, for
example, for reading and writing content information, for buffering
content information during intermediate stages of processing, etc.
When the signal processing unit 30 finishes processing the incoming
content, the system 10 outputs the desired output content (e.g.,
audio/visual content for a channel for which access has been
authorized) on the connection 60 to another device (e.g., a display
device).
[0005] However, once the incoming content has been decrypted by the
signal processing unit 30, the content can become unsecured when
stored in the external memory storage device 40 or when sent or
received on the connection 70 between the signal processing unit 30
and the external memory storage device 40. Thus, unencrypted
content may be accessed or copied by accessing the external memory
storage device 40 or by tapping the connection 70 between the
signal processing unit 20 and the external memory storage device
40. Such unsecured content may then be rebroadcasted, retransmitted
or copied for delivery to an unintended or unauthorized
audience.
[0006] Further limitations and disadvantages of conventional and
traditional approaches will become apparent to one of ordinary
skill in the art through comparison of such systems with some
aspects of the present invention as set forth in the remainder of
the present application with reference to the drawings.
BRIEF SUMMARY OF THE INVENTION
[0007] Aspects of the present invention may be found in, for
example, systems and methods that securely buffer content. In one
embodiment, the present invention may provide a system that
securely buffers content. The system may include, for example, a
processor and a memory. The memory may be coupled to the processor.
Before content leaves the processor for the memory, the processor
may secure the content. After the secured content enters the
processor from the memory, the processor may recover the content
from the secured content.
[0008] In another embodiment, the present invention may provide a
method that securely buffers content. The method may include one or
more of the following: applying a particular security scheme to
protect content before leaving a signal processor for a storage
device; and recovering the content from the protected content after
the protected content enters the signal processor from the storage
device.
[0009] In yet another embodiment, the present invention may provide
a method that securely buffers content. The method may include one
or more of the following: decrypting content received by a first
processor of a signal processor, the decrypting being performed by
a first device adapted to decrypt a first kind of encryption;
encrypting the content sent from the first processor to a memory
before the content leaves the signal processor, the encrypting
being performed by a second device adapted to perform a second kind
of encryption; and decrypting the content received by a second
processor of the signal processor from the memory after the content
is received by the signal processor, the decrypting being performed
by a third device adapted to decrypt the second kind of
encryption.
[0010] These and other features and advantages of the present
invention may be appreciated from a review of the following
detailed description of the present invention, along with the
accompanying figures in which like reference numerals refer to like
parts throughout.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIG. 1 shows a block diagram illustrating an example of a
system in which content is not secured.
[0012] FIG. 2 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
invention.
[0013] FIG. 3 shows a flow chart illustrating an embodiment of a
process that securely buffers content according to the present
invention.
[0014] FIG. 4 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
invention.
[0015] FIG. 5 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
information.
[0016] FIG. 6 shows a block diagram of an embodiment of a security
device according to the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0017] FIG. 2 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
invention. The system 80 may include, for example, a signal
processing unit 100 and a storage device 1 10. The signal
processing unit 100 may be part of a set top box 90 that, for
example, receives audio and visual content over multiple channels.
The signal processing unit 100 may be, for example, an integrated
circuit (IC) chip mounted on a motherboard of the set top box 90.
However, the present invention need not be limited to set top
boxes. The signal processing unit 100 may be adapted to process
signals (e.g., decrypting, decoding, etc.) and may include, for
example, one or more processing units. The signal processing unit
100 may be coupled to the storage device 110 via a connection 140.
The signal processing unit 100 may also be coupled to a connection
120 and to a connection 130. The connections 120, 130, 140 may
include, for example, a wire connection, a fiber connection, a
cable connection or a wireless connection.
[0018] The storage device 110 may include, for example, an
electrical storage device, a mechanical storage device, a magnetic
storage device, an optical storage device, a storage network or any
combination thereof. In an embodiment that employs a set top box,
the storage device 110 may also be part of the set top box 90 or
may be external to the set top box 90. In one embodiment, the
storage device 100 may be part of the set top box, but external to
the signal processing unit 100. In another embodiment, the storage
device 100 and the signal processing unit 100 may be part of a chip
(e.g., an integrated chip). In yet another embodiment, the signal
processing unit 100 may include the storage device 110. For
example, the signal processing unit 100 may include the storage
device 100 and a plurality of processing blocks in which the
storage device 100 is external to the plurality of processing
blocks, but still part of the signal processing unit 100. The
present invention also contemplates other arrangements and
configurations of the storage device 100 in, for example, systems
and methods that securely buffer content.
[0019] Incoming content may typically be encrypted when placed on
the connection 120 from a central content provider (not shown) to a
subscriber. The encrypted content may then be decrypted, decoded or
otherwise processed by the signal processing unit 100. In
processing (e.g., decrypting, parsing, filtering, decoding, etc.)
the incoming content, the signal processing unit 100 may use the
storage device 110, for example, for reading and writing content
information, for buffering content information during intermediate
stages of processing, etc. When the signal processing unit 100
finishes processing the incoming content, the system 80 may then
output the desired content (e.g., audio/visual content for a
channel for which access has been authorized) on the connection 130
to another device (e.g., a display device). If the output is an
analog signal, then the signal may be sent without security.
Alternatively, the resolution of the analog signal may be degraded
so as to lower the signal resolution, thereby making it less
valuable. In one embodiment, a watermark may be applied to the
analog signal. If the output is a digital signal, then digital
signal may be secured via encryption (e.g., digital video interface
(DVI), 5C or other encryption schemes).
[0020] FIG. 3 shows a flow chart illustrating an embodiment of a
process that securely buffers content according to the present
invention. As described above, the signal processing unit 100 may
include one or more processing units that may use the storage
device 110 when processing content. In query 150, it may be
determined whether the signal processing unit 100 is sending
content to the storage device 110. If the signal processing unit
100 is sending content to the storage device 110, then the signal
processing unit 100 may secure the content before sending the
secured content to the storage device 110. The process may then be
completed. The signal processing unit 100 may secure the content
by, for example, applying a particular type of encryption, applying
a particular type of copy protection, degrading the content or
using other methods or combinations of methods that secure content.
The content may be degraded, for example, by removing a portion of
the content, periodically taking out pieces of the content,
scrambling portions of the content, encrypting portions of the
content or by other processes that degrade the content. In one
embodiment, the content may be video content and the content may be
degraded by partially or wholly degrading at least some I-frames.
The proportion of degradation may be a particular threshold level.
The selection of a particular method that may secure content may be
based on, for example, the type of content, content rate or from
which of the one or more processing units of the signal processing
unit 100 the content originates. Thus, for example, content being
sent from one kind of processing unit (e.g., a transport processing
engine) of the signal processing unit 100 to the storage device 110
may be secured by a first kind of encryption or copy protection
while content being sent from another kind of processing unit
(e.g., a video/audio decoding engine) of the signal processing unit
100 to the storage device 110 may be secured by a second kind of
encryption or copy protection. Furthermore, the content rate of
different processing units of the signal processing unit 100 may
determine which type of, for example, encryption/decryption schemes
may be used. For example, a transport processing engine may have a
different content rate than a video/audio decoding engine.
Accordingly, an encryption scheme that may be used with slower
content rates may be applicable for the transport processing
engine, but not with the video/audio decoding engine.
[0021] If the signal processing unit 100 is not sending content to
the storage device 110, then, in query 170, it may be determined
whether the signal processing unit 100 is receiving content from
the storage device 110. If the signal processing unit 100 is not
receiving content from the storage device 110, then the process may
be completed. If the signal processing unit 100 is receiving
content from the storage device 110, then, in step 180, the signal
processing unit 100 may recover content after receiving the secured
content. The process may then be completed. The signal processing
unit 100 may recover the content from the received secured content
by, for example, decrypting the encrypted content, removing the
copy protection from the copy protected content, enhancing the
received degraded content or other methods that recover content
from the received secured content. In one embodiment, the signal
processing unit 100 may apply a particular recovery scheme based
upon, for example, the particular processing unit in the signal
processing unit 100 that previously handled the content, the type
of content, the content rate (e.g., content processing rate) or the
particular processing unit in the signal processing unit 100 that
is requesting the content.
[0022] FIG. 4 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
invention. The system may include, for example, the signal
processing unit 100 and the storage device 110. Although the
storage device 110 is illustrated as being external to the signal
processing unit 100, as described above, the present invention also
contemplates that signal processing unit 100 may include the
storage device 110. The signal processing unit 100 may include, for
example, a first processing unit 190 and a second processing unit
200. The first processing unit 190 may be, for example, a data
transport engine of a personal video recording (PVR) system. The
second processing unit 200 may be, for example, a video and/or an
audio decoding engine. Although the present invention may find
application with, for example, PVR systems or set top boxes, the
present invention need not be so limited. Furthermore, although
illustrated with two processing units, the signal processing unit
100 may include more or less than two processing units. The first
processing unit 190 may include, for example, a first device 210
that secures content being sent to the storage device 110 and a
first device 220 that recovers content from secured content
received from the storage device 110. The second processing unit
200 may include, for example, a second device 230 that secures
content being sent to the storage device 110 and a second device
240 that recovers content from secured content received from the
storage device 110.
[0023] The signal processing unit 100 and the storage device 110
may be coupled via the connection 140. The first processing unit
190 may be coupled to a bus 250 which, in turn, may be coupled to
the connection 140. The first devices 210, 220 of the first
processing unit 190 may also be coupled to the bus 250. The second
processing unit 200 and the second devices 230, 240 of the second
processing unit 200 may also be coupled to the bus 250. The present
invention also contemplates that some couplings may be achieved via
direct connection. In one embodiment, the first processing unit 190
may be directly coupled to the second processing unit 200 without
the use of a bus (e.g., the bus 250). In another embodiment, the
first devices 210, 220 and the second devices 230, 240 may be
directly connected to the storage device 110.
[0024] In operation, a content stream may be received by the signal
processing unit 100. The incoming content stream may be initially
encrypted to secure content, for example, from a central content
provider to a remote subscriber. The initial decryption may be
accomplished by the first processing unit 190 or may be
accomplished before the content is received by the first processing
unit 190. The first processing unit 190 may receive the content via
the bus 250. The first processing unit 190 may process the content.
For example, the first processing unit 190 may provide the initial
decryption or may parse and filter content. During the processing
by the first processing unit 190, the first processing unit 190 may
buffer information in the storage device 110. Information to be
buffered in the storage device 110 may first be secured via the
first device 210. The first device 210 may, for example, encrypt,
copy protect or degrade the information before sending the secured
information to the storage device 110 via the bus 250 and the
connection 140. Secured information stored in the storage device
110 may also be read by the first processing unit 190. The first
device 220 may receive the secured information from the storage
device 110 via the connection 140 and the bus 250 and may recover
the information from the secured information. The first device 220,
for example, may decrypt encrypted information or may remove copy
protection from the copy protected information or may enhance
degraded information. When the processing is complete, the first
processing unit 190 may pass the information directly to the second
processing unit via the bus 250. Alternatively, when the processing
is completed, the first processing unit 190 may buffer the
information in the storage device 110 after securing the
information via the first device 210. The buffered and secured
information stored in the storage device 110 may first pass through
the second device 240 of the second processing unit 200 in which
the information is recovered from the secured information. Whether
the information is passed directly from the first processing unit
190 to the second processing unit 200 or the information is
recovered from secured information from the storage device 110 via
the second device 240, the second processing unit 200 may then
process the information. In one embodiment, the second processing
unit 200 may provide video and/or audio decoding. As described
above, intermediate processing steps of the second processing unit
200 may employ the storage device 110 as a buffer. The information
to be buffered may be secured via the second device 230 and may be
stored in the storage device 110 via the bus 250 and the connection
140. The buffered information may later be read by the second
processing unit 200 via the connection 140, the bus 250 and the
second device 240. The second device 240 recovering the information
from the buffered, secured information. Thus, in one embodiment,
the content passed via the connection 140 or stored in the storage
device 110 is secured.
[0025] Although each of the devices 210, 230 may use the same
security scheme and each the devices 220, 240 may use the same
scheme to recover content from the secured information, the present
invention also contemplates that different security schemes can be
used. The selection of security schemes may be preset or may be
based upon, for example, content type, content rate, origin of
content or destination of content. For example, content originating
from the first processing unit 190 may use a particular form of
encryption while content originating from the second processing
unit 200 may use a different form of encryption. Thus, the devices
220, 240 may be adapted to know from which processing unit the
secure content is coming. The content stream may be enhanced to
include such origination information.
[0026] FIG. 5 shows a block diagram illustrating an embodiment of a
system that securely buffers content according to the present
information. The system may include, for example, the signal
processing unit 100 and the storage device 110. Although the
storage device 110 is illustrated as being external to the signal
processing unit 100, as described above, the present invention also
contemplates that signal processing unit 100 may include the
storage device 110. The signal processing unit 100 may include, for
example, the first processing unit 190, the second processing unit
200, a bus 260 and a security device 270. Although illustrated as
two processing units, the signal processing unit 100 may include
more or less than two processing units. The first processing unit
190 and the second processing unit 200 may be coupled to the bus
260 which, in turn, may be coupled to the security device 270. The
security device 270 may be coupled to the storage device 110 via
the connection 140.
[0027] The security device 270 may perform a plurality of tasks and
functions and may accomplish them in parallel or in series. For
example, the security device 270 may be adapted to secure content
sent from the processing units 190, 200 to the storage device 110.
In addition, the security device 270 may be adapted to recover
content from secured content received from the storage device 110.
In addition, the security device 270 may include, for example, a
direct memory access (DMA) engine. Thus, content buffered by the
processing unit 190, 200 during processing may be directly stored
in the appropriate storage locations in the storage device 110.
Furthermore, buffered content may be read directly from the storage
device 110 and, after the content is recovered from the secured
content, may be forwarded to the appropriate processing unit 190,
200.
[0028] In operation, content processed by the first processing unit
190 or the second processing unit 200 may be buffered in the
storage device 110. The content to be buffered may be received by
the security device 270 which may secure the content before using
the DMA engine to write the secured content to a particular storage
location in the storage device 110. The type of security applied to
the content may depend upon, for example, content type, content
rate, source processing unit or destination processing unit. If the
first processing unit 190 or the second processing unit 200 needs
buffered content, then a read request may be sent to the security
device 270. The security device 270 may then read the particular
storage location of the storage device 110. The security device 270
may then receive the secured content and may recover the content
from the received secured content before forwarding the content to
the requesting processing unit.
[0029] FIG. 6 shows a block diagram of an embodiment of a security
device according to the present invention. The security device 270
may include, for example, a storage interface 280, a security
engine 290, a recovery engine 300, a buffer 310, a bus interface
320 and a controller 330. The bus 260 may be coupled to the bus
interface 320 which, in turn, may be coupled to the buffer 310. The
buffer 310 may be coupled to the security engine 290 and to the
recovery engine 300. The security engine 290 and the recovery
engine 300 may be coupled to the storage interface 280. Although
not explicitly shown, the controller 330 may be coupled with each
of the components of the security device 270.
[0030] In operation, the controller 330 of the security device 270
may receive a write request. Content that is to be buffered in the
storage device 110 may pass from the bus 260 to the bus interface
320. The content may then be stored in the buffer 310. The security
engine 290 may receive content from the buffer 310 and may secure
the content. The security engine 290 may, for example, encrypt the
content, copy protect the content or degrade the content. The
secured data may then be passed on to the storage interface 280.
The controller 330 may also provide storage control (e.g., direct
memory access) by writing the secured data in a particular location
in the storage device 110.
[0031] The controller 330 of the security device 270 may also
receive a read request. Content that is needed by the signal
processing unit 100 may be read using the controller 330. The
secured content may be received by the storage interface 280 via
the connection 140. The secured content may be passed to the
recovery engine 300. The recovery engine 300 may recover content
from the received secured content. The recovery engine 300 may, for
example, decrypt encrypted content, recover content from copy
protected content, or recover content from degraded content. The
recovered content may be buffered in the buffer 310 before being
sent to the appropriate processing unit in the signal processing
unit 100 via the bus interface 320 and the bus 260.
[0032] While the present invention has been described with
reference to certain embodiments, it will be understood by those
skilled in the art that various changes may be made and equivalents
may be substituted without departing from the scope of the present
invention. In addition, many modifications may be made to adapt a
particular situation or material to the teachings of the present
invention without departing from its scope. Therefore, it is
intended that the present invention not be limited to the
particular embodiment disclosed, but that the present invention
will include all embodiments falling within the scope of the
appended claims.
* * * * *